| Summary: | spamassassin new security issue CVE-2020-1946 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, mageia, ouaurelien, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7TOO MGA7-64-OK MGA8-64-OK | ||
| Source RPM: | spamassassin-3.4.4-3.mga8.src.rpm, spamassassin-rules-3.4.4-2.mga8.src.rpm | CVE: | CVE-2020-1946 |
| Status comment: | |||
Description
Nicolas Salguero
2021-03-29 14:13:00 CEST
Nicolas Salguero
2021-03-29 14:15:10 CEST
CVE: (none) => CVE-2020-1946

Suggested advisory:
========================

The updated packages fix a security vulnerability:

In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places. (CVE-2020-1946)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1946
https://spamassassin.apache.org/news.html
https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.5.txt
https://www.openwall.com/lists/oss-security/2021/03/24/3
========================

Updated packages in 7/core/updates_testing:
========================
spamassassin-3.4.5-1.mga7
spamassassin-sa-compile-3.4.5-1.mga7
spamassassin-tools-3.4.5-1.mga7
spamassassin-spamd-3.4.5-1.mga7
spamassassin-spamc-3.4.5-1.mga7
perl-Mail-SpamAssassin-3.4.5-1.mga7
perl-Mail-SpamAssassin-Spamd-3.4.5-1.mga7
spamassassin-rules-3.4.5-1.mga7

from SRPMS:
spamassassin-3.4.5-1.mga7.src.rpm
spamassassin-rules-3.4.5-1.mga7.src.rpm

Updated packages in 8/core/updates_testing:
========================
spamassassin-3.4.5-1.mga8
spamassassin-sa-compile-3.4.5-1.mga8
spamassassin-tools-3.4.5-1.mga8
spamassassin-spamd-3.4.5-1.mga8
spamassassin-spamc-3.4.5-1.mga8
perl-Mail-SpamAssassin-3.4.5-1.mga8
perl-Mail-SpamAssassin-Spamd-3.4.5-1.mga8
spamassassin-rules-3.4.5-1.mga8

from SRPMS:
spamassassin-3.4.5-1.mga8.src.rpm
spamassassin-rules-3.4.5-1.mga8.src.rpm

Status: NEW => ASSIGNED

Installed and tested without issues.

Tested on a good number of ham and spam messages, in a setup with fetchmail, dovecot and roundcubemail. Used email clients: kmail, trojita, roundcubemail and failemail (Android). All seems to be working as expected.

======================================================
X-Spam-Checker-Version: SpamAssassin 3.4.5 (2021-03-20) on marte.local
X-Spam-Flag: YES
X-Spam-Level: *********
X-Spam-Status: Yes, score=9.0 required=5.0 tests=BAYES_99,BAYES_999,
        HTML_MESSAGE,T_REMOTE_IMAGE autolearn=no autolearn_force=no version=3.4.5
X-Spam-Report:
        * 4.0 BAYES_99 BODY: Bayes spam probability is 99 to 100%
        *      [score: 1.0000]
        * 5.0 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
        *      [score: 1.0000]
        * 0.0 HTML_MESSAGE BODY: HTML included in message
        * 0.0 T_REMOTE_IMAGE Message contains an external image
======================================================

System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia-current proprietary driver.

$ uname -a
Linux marte 5.10.25-desktop-1.mga7 #1 SMP Sat Mar 20 17:16:25 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep -i spamassassin
spamassassin-rules-3.4.5-1.mga7
spamassassin-3.4.5-1.mga7
perl-Mail-SpamAssassin-3.4.5-1.mga7

CC: (none) => mageia

Tested in a 64-bit MGA8 Plasma vbox guest.
Installed spamassassin packages and dependencies. Then used the above package list in qarepo:
The following 7 packages are going to be installed:
- perl-Mail-SpamAssassin-3.4.5-1.mga8.x86_64
- perl-Mail-SpamAssassin-Spamd-3.4.5-1.mga8.x86_64
- spamassassin-3.4.5-1.mga8.x86_64
- spamassassin-rules-3.4.5-1.mga8.noarch
- spamassassin-spamc-3.4.5-1.mga8.x86_64
- spamassassin-spamd-3.4.5-1.mga8.x86_64
- spamassassin-tools-3.4.5-1.mga8.x86_64
No installation issues. After, tried a minimal test to see if the service would start:
# systemctl start spamd.service
# systemctl status spamd.service
● spamd.service - Spamassassin daemon
Loaded: loaded (/usr/lib/systemd/system/spamd.service; disabled; vendor preset: disabled)
Active: active (running) since Sun 2021-04-11 19:09:26 EDT; 27s ago
Main PID: 24096 (spamd)
Tasks: 3 (limit: 4697)
Memory: 100.4M
CPU: 1.702s
CGroup: /system.slice/spamd.service
├─24096 /usr/bin/perl -T -w /usr/bin/spamd
├─24103 spamd child
└─24104 spamd child
Apr 11 19:09:26 localhost.localdomain systemd[1]: Started Spamassassin daemon.
Apr 11 19:09:29 localhost.localdomain spamd[24096]: spamd: server started on IO::Socket::IP [::1]:783, IO::Socket::IP [127.0.0.1]:783 (running version 3.4.5)
Apr 11 19:09:29 localhost.localdomain spamd[24096]: spamd: server pid: 24096
Apr 11 19:09:29 localhost.localdomain spamd[24096]: spamd: server successfully spawned child process, pid 24103
Apr 11 19:09:29 localhost.localdomain spamd[24096]: spamd: server successfully spawned child process, pid 24104
Apr 11 19:09:29 localhost.localdomain spamd[24096]: prefork: child states: IS
Apr 11 19:09:29 localhost.localdomain spamd[24096]: prefork: child states: II
Since the MGA7 update is the same version and has already been tested for functionality, I'm going to give this an MGA8 OK on a clean install and my very minimal test.
Validating. Advisory in Comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
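The advisory's remediation is a version floor (SpamAssassin 3.4.5 or later), and both testers confirmed it by eyeballing `rpm -qa` output. The check below automates that step. It is an added example, not code from the bug report, from Mageia's QA tooling or from the SpamAssassin project: it parses NAME-VERSION-RELEASE strings as printed by `rpm -qa`, compares versions with a simplified form of rpm's segment comparison (numeric segments as integers, alphabetic segments as strings, numeric newer than alphabetic; epochs and the `~`/`^` markers are not handled), and reports any package from the advisory's list that is still below 3.4.5. The package-name prefixes and the fixed version come from the advisory; the sample `rpm -qa` lines are constructed, modelled on the output pasted above.

```python
"""Flag installed SpamAssassin RPMs that are below the CVE-2020-1946 fix version.

Added example, not part of the Mageia bug report or of SpamAssassin itself.
Assumes rpm -qa style NAME-VERSION-RELEASE[.ARCH] lines and a version-only
floor, which matches this advisory because Mageia shipped upstream 3.4.5.
"""
import re

FIXED_VERSION = "3.4.5"  # first release fixing CVE-2020-1946, per the advisory

# Name prefixes of the packages listed in the advisory.
AFFECTED_PREFIXES = ("spamassassin", "perl-Mail-SpamAssassin")

# Version strings are compared segment by segment: runs of digits or letters.
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")
_ARCH_SUFFIX = re.compile(r"\.(x86_64|i586|noarch|aarch64|armv7hl)$")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 following rpm's rpmvercmp rules (simplified: no ~ or ^)."""
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            # Numeric segments compare as integers, so 10 > 9.
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            # rpm rule: a numeric segment is newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    # All shared segments equal: the string with more segments is newer.
    if len(seg_a) == len(seg_b):
        return 0
    return -1 if len(seg_a) < len(seg_b) else 1


def parse_nvr(pkg: str):
    """Split NAME-VERSION-RELEASE (with optional .ARCH) into its three parts."""
    pkg = _ARCH_SUFFIX.sub("", pkg)
    parts = pkg.rsplit("-", 2)
    if len(parts) != 3:
        raise ValueError("not a NAME-VERSION-RELEASE string: %r" % pkg)
    name, version, release = parts
    return name, version, release


def vulnerable_packages(rpm_qa_output: str) -> list:
    """Return the SpamAssassin packages in rpm -qa output that are below FIXED_VERSION."""
    below = []
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if not line:
            continue
        name, version, _release = parse_nvr(line)
        if not name.startswith(AFFECTED_PREFIXES):
            continue  # unrelated package, e.g. perl itself
        if rpmvercmp(version, FIXED_VERSION) < 0:
            below.append(line)
    return below


# Constructed sample modelled on the Mageia 7 tester's rpm -qa output (all fixed).
SAMPLE_FIXED = """\
spamassassin-rules-3.4.5-1.mga7
spamassassin-3.4.5-1.mga7
perl-Mail-SpamAssassin-3.4.5-1.mga7
"""

# Constructed sample of a Mageia 8 host still on the pre-update 3.4.4 packages.
SAMPLE_VULNERABLE = """\
spamassassin-rules-3.4.4-2.mga8.noarch
spamassassin-3.4.4-3.mga8.x86_64
perl-Mail-SpamAssassin-3.4.4-3.mga8.x86_64
perl-5.30.3-1.mga8.x86_64
"""

if __name__ == "__main__":
    import sys
    # Real use: rpm -qa | python3 check_sa_version.py ; with no piped input, use the sample.
    data = SAMPLE_VULNERABLE if sys.stdin.isatty() else sys.stdin.read()
    for pkg in vulnerable_packages(data):
        print("below %s: %s" % (FIXED_VERSION, pkg))
```

The check is only as good as the version floor: a distribution that backports the fix into a 3.4.4 package keeps the old version string, so on such systems the changelog or the advisory's exact NVR, not the version alone, is what to compare against. Here it is sufficient because the Mageia update is upstream 3.4.5.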
Aurelien Oudelet 2021-04-12 16:20:04 CEST

CC: (none) => ouaurelien

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0182.html

Resolution: (none) => FIXED

Debian has issued an advisory for this on March 27: https://www.debian.org/security/2021/dsa-4879